As members of the Fusion Middleware Architecture Group (a.k.a the A-Team), we get exposed to a wide range of challenging technical issues around security and Oracle Fusion Middleware. We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.
NOTICE: All our posts and much more can now be found at http://www.ateam-oracle.com/category/identity-management/

Tuesday, December 20, 2011

I have been involved with many customers who are integrating OAM 11g with Universal Content Manager 11g (UCM), and I know that trying to follow the OAM documentation can be daunting, so I put together my own integration document/blog post. Rather than re-invent the wheel, this post uses what we already have in terms of documentation. Think of it as a checklist of the steps I implemented to get my own internal environment working.

Prerequisites

Install and configure UCM

Install the WebLogic plug-in on OHS that fixes a bug affecting UCM: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html

High Level Steps/Checklist

Configure an OHS server to proxy all requests to UCM (/cs, /adfAuthentication and /_ocsh).
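The OHS side of that step, as an added example (this is my own illustration, not configuration from the original post or from Oracle's documentation): a small script that renders the mod_wl_ohs directives for exactly the three UCM context roots named above and checks that the fragment covers all of them. The UCM host name, port and output path are assumptions; replace them with your managed server's values. Proxying only these named `<Location>` blocks, rather than the whole document root, keeps OHS from exposing other WebLogic applications on the same server.

```shell
#!/bin/sh
# Added example (not from the original post): render the mod_wl_ohs
# fragment that proxies the UCM context roots through OHS.
# Assumed values: UCM managed server host/port and the output file name.
UCM_HOST="${UCM_HOST:-ucm.example.internal}"   # assumption
UCM_PORT="${UCM_PORT:-16200}"                  # assumption (default UCM_server1 port)
CONF_OUT="${CONF_OUT:-./mod_wl_ohs.conf}"      # assumption

# Print one <Location> block that hands a single context root to WebLogic.
location_block() {
  ctx="$1"; host="$2"; port="$3"
  printf '<Location %s>\n  SetHandler weblogic-handler\n  WebLogicHost %s\n  WebLogicPort %s\n</Location>\n' \
    "$ctx" "$host" "$port"
}

# Render the whole fragment: the module load line plus the three UCM roots.
render_ucm_proxy_conf() {
  host="$1"; port="$2"
  printf 'LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"\n'
  for ctx in /cs /adfAuthentication /_ocsh; do
    location_block "$ctx" "$host" "$port"
  done
}

# Count how many context roots a rendered fragment actually proxies,
# so a truncated or hand-edited file is noticed before OHS is restarted.
count_locations() {
  printf '%s\n' "$1" | grep -c '^<Location /'
}

# Write the fragment; include it from the OHS httpd.conf of the instance.
write_ucm_proxy_conf() {
  conf=$(render_ucm_proxy_conf "$UCM_HOST" "$UCM_PORT")
  [ "$(count_locations "$conf")" = "3" ] || { echo "fragment incomplete" >&2; return 1; }
  printf '%s\n' "$conf" > "$CONF_OUT"
  echo "wrote $CONF_OUT"
}

# Only touch the filesystem when explicitly asked, so sourcing is harmless.
if [ -n "$WRITE_CONF" ]; then
  write_ucm_proxy_conf
fi
```

Run it as `WRITE_CONF=1 UCM_HOST=myucm UCM_PORT=16200 sh ucm_proxy.sh` and then restart OHS as the post says; if OHS fronts HTTPS you would additionally set the usual mod_wl_ohs SSL directives, which this fragment deliberately omits.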

When asked to enter the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).

2. Continuing Section 5.2.3.1

Notes:

You can configure the OAM Asserter and LDAP/OVD Authenticator before installing a WebGate. Once the LDAP/OVD authenticator is configured, I recommend testing UCM to make sure that you can bind as a user that exists within the provider you configured.

The order of the providers should be as follows:

OAM Identity Asserter

The following ‘Common’ parameters should be set as:

Leave the default values for the ‘Provider Specific’ tab.

OVD Provider

‘Common’ tab:

‘Provider Specific’ tab:

Based on the backend LDAP repository, make sure that you specify the correct object class and user name attribute within the LDAP filters. In our case, we used ‘inetorgperson’ and ‘uid’ for user objects and ‘groupofuniquenames’ and ‘uniquemember’ for groups.
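To check those filters against the store before trusting the provider with logins, here is an added example of my own (not from the post or from Oracle): it builds the user and group filters in the shape described above, escapes the value per RFC 4515 so that a login name containing `*`, `(`, `)` or `\` cannot change the filter's meaning, and, when ldapsearch is installed, binds as the test user and looks up the user and its groups. The LDAP URL, base DNs and the `uid=...,<base>` bind DN shape are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify the OVD
# provider's user/group filters. Assumed values below are placeholders.
LDAP_URL="${LDAP_URL:-ldap://ovd.example.internal:6501}"   # assumption
USER_BASE="${USER_BASE:-cn=Users,dc=example,dc=com}"       # assumption
GROUP_BASE="${GROUP_BASE:-cn=Groups,dc=example,dc=com}"    # assumption

# Escape the RFC 4515 filter metacharacters: backslash first, then * ( ).
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# User filter with the object class and name attribute used in the post.
user_filter() {
  printf '(&(objectclass=inetorgperson)(uid=%s))' "$(ldap_escape "$1")"
}

# Group filter: groups are groupofuniquenames, membership is uniquemember=<user DN>.
group_filter() {
  printf '(&(objectclass=groupofuniquenames)(uniquemember=%s))' "$(ldap_escape "$1")"
}

# Bind as the test user, confirm the user filter finds exactly that entry,
# then list the groups the group filter resolves for it. Needs ldapsearch.
verify_bind() {
  uid="$1"; pw="$2"
  command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed; skipping live check" >&2; return 2; }
  bind_dn="uid=$uid,$USER_BASE"   # assumption: users sit directly under USER_BASE
  dn=$(ldapsearch -x -LLL -H "$LDAP_URL" -D "$bind_dn" -w "$pw" \
         -b "$USER_BASE" "$(user_filter "$uid")" dn | sed -n 's/^dn: //p' | head -n 1)
  [ -n "$dn" ] || { echo "bind succeeded but the user filter returned no entry for $uid" >&2; return 1; }
  echo "user entry: $dn"
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$bind_dn" -w "$pw" \
    -b "$GROUP_BASE" "$(group_filter "$dn")" cn
}

# Run the live check only when a test user is supplied, so the functions
# can be sourced without touching the network.
if [ -n "$LDAP_TEST_USER" ]; then
  verify_bind "$LDAP_TEST_USER" "$LDAP_TEST_PASSWORD"
fi
```

If the user filter returns nothing even though the bind works, the object class or name attribute in the ‘Provider Specific’ tab does not match what the backend actually stores, which is exactly the mismatch the paragraph above warns about.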

3. After installing and configuring OAM 11g

a. I recommend installing the WebGate now. The documentation has no good links for installing WebGate 11g; use the following: http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/webgate.htm#CACCBCFF

Notes: Section 20.2.4. You will need the gcc libraries; you can get them here: http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

Look for ‘GCC Libraries for Oracle Identity Federation’

Use the following cpio command to extract the gcc libraries: cpio -idvm <cpio-file>

b. Next, copy the artifacts that were generated in step 3 of section 15.2.2.2: copy ‘ObAccessClient.xml’ and ‘cwallet.sso’, located in the ‘output/UCM-INT’ directory under ‘rreg’, to the /config directory.

WebGate installation completed. Make sure that the OAM managed server is running and restart the OHS server.

Troubleshooting tips:

Cannot log in via OAM – a few things to verify:

Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.

Make sure that the OVD provider in WLS matches the same OAM data store configuration.

Login looping issue

In some cases we see a looping issue when using IE when the time synchronization is off between the WebGate machine and the OAM server machine.
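A quick way to confirm or rule out that clock problem, as an added example of mine (not from the post): compare the Date header the OAM server sends back with the local clock on the WebGate/OHS host. When the two clocks disagree by more than the tolerance, the cookie the OAM server has just issued can already look expired to the WebGate, which is the kind of skew that produces the redirect loop. The OAM server URL is an assumption, and the date parsing relies on GNU date(1).

```shell
#!/bin/sh
# Added example (not from the original post): measure clock skew between
# this WebGate host and the OAM server. OAM_URL is an assumption.
OAM_URL="${OAM_URL:-http://oam.example.internal:14100/oam/server/}"  # assumption

# Convert an RFC 1123 HTTP date (as sent in the Date header) to epoch seconds.
http_date_to_epoch() {
  date -u -d "$1" +%s
}

# Absolute difference in seconds between two epoch values.
skew_seconds() {
  if [ "$1" -ge "$2" ]; then
    echo $(( $1 - $2 ))
  else
    echo $(( $2 - $1 ))
  fi
}

# Succeed when the skew between two epoch values is within the tolerance.
skew_within() {
  [ "$(skew_seconds "$1" "$2")" -le "$3" ]
}

# Fetch the OAM server's Date header and report the offset from the local clock.
# Returns 0 when within tolerance, 1 when skewed, 2 when no header came back.
check_oam_clock() {
  tol="${1:-60}"
  hdr=$(curl -sI --max-time 10 "$OAM_URL" | tr -d '\r' | sed -n 's/^[Dd]ate: //p' | head -n 1)
  [ -n "$hdr" ] || { echo "no Date header received from $OAM_URL" >&2; return 2; }
  remote=$(http_date_to_epoch "$hdr")
  now=$(date -u +%s)
  echo "OAM server clock differs from the local clock by $(skew_seconds "$remote" "$now")s (tolerance ${tol}s)"
  skew_within "$remote" "$now" "$tol"
}

# Only go to the network when asked, so the helpers can be sourced safely.
if [ -n "$OAM_CLOCK_CHECK" ]; then
  check_oam_clock "${OAM_SKEW_TOLERANCE:-60}"
fi
```

Run it on the WebGate host as `OAM_CLOCK_CHECK=1 OAM_URL=http://<oam-host>:14100/oam/server/ sh oam_clock.sh`; a non-zero exit means the two hosts need their NTP configuration fixed before chasing the loop anywhere else.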

2 comments:

Thanks for writing this. We used this in conjunction with MOSS note: 1323182.1 to get this integration mostly working. We are using a custom authentication scheme (contextType is customWar). But when we access /cs it shows the default OAM login page and not our custom login scheme although we set the /adfAuthentication resource in OAM to use the custom scheme. Appreciate any suggestions on how to fix this. TIA.